Identifying processes running as svchost.exe

I have previously written about experiences with systems becoming unresponsive and reporting svchost.exe utilizing 99% of the CPU. Since so many different DLLs run under this generic host process, identifying exactly which program is causing the high CPU usage is often difficult.

According to KB314056, the Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.

Windows XP Pro includes a built-in command-line tool, tasklist.exe, that provides information useful in tracking down the offending programs.

Running tasklist.exe with no switches will provide a list of running processes, their PID, console type and memory usage. Notice svchost.exe is shown as PIDs 1448, 1508, and 1856.

To determine which PID is running which service, run

tasklist.exe /SVC

Notice the additional information showing which services each svchost.exe instance is hosting.
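An added example, not part of the original post: a short Python script that parses the CSV form of the same listing (tasklist /SVC /FO CSV) and maps each svchost.exe PID to the services it hosts. The sample output is constructed; the PIDs match those mentioned above, but the service groupings are illustrative, and the function names are this example's own.

```python
import csv
import io
import subprocess
import sys

# Constructed sample of `tasklist /SVC /FO CSV` output, not captured from a
# real host. PIDs match the ones above; the service groupings are illustrative.
SAMPLE = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"lsass.exe","1204","PolicyAgent,ProtectedStorage,SamSs"
"svchost.exe","1448","DcomLaunch,TermService"
"svchost.exe","1508","RpcSs"
"svchost.exe","1856","AudioSrv, BITS, Schedule, wuauserv"
"explorer.exe","2320","N/A"
'''

def services_by_pid(csv_text, image="svchost.exe"):
    """Map each PID of `image` to the list of services that instance hosts."""
    rows = csv.reader(io.StringIO(csv_text))
    next(rows, None)  # skip the header row; its column names are localized
    hosted = {}
    for row in rows:
        if len(row) < 3 or row[0].lower() != image.lower():
            continue
        names = [s.strip() for s in row[2].split(",")]
        hosted[int(row[1])] = [s for s in names if s and s != "N/A"]
    return hosted

def find_host(csv_text, service):
    """Return the PID of the svchost.exe instance hosting `service`, or None."""
    for pid, names in services_by_pid(csv_text).items():
        if service.lower() in (n.lower() for n in names):
            return pid
    return None

def shared_instances(csv_text):
    """PIDs hosting several services, where CPU use can't be pinned on one."""
    return sorted(p for p, n in services_by_pid(csv_text).items() if len(n) > 1)

if __name__ == "__main__":
    text = SAMPLE
    if sys.platform == "win32":  # on Windows, parse the live listing instead
        text = subprocess.run(["tasklist", "/SVC", "/FO", "CSV"],
                              capture_output=True, text=True, check=True).stdout
    for pid, names in sorted(services_by_pid(text).items()):
        print(f"svchost.exe PID {pid}: {', '.join(names) or '(no services)'}")
```
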

You can list services and applications on a remote system by running

tasklist.exe /s remoteIPaddress

or

tasklist.exe /s remoteComputerName

If you want even more detail about the processes and applications running, type:

tasklist /M

This will show which .dlls are in use by the processes.

If you want to isolate a service from a shared svchost.exe instance, My Green Paste has a nice post on doing this via the registry.

Once you’ve isolated the offending process that is causing the excessive resource utilization, use taskkill.exe to kill the offending application. You may need to specify the /F switch to force the offending process to be killed.

Obviously, killing the wrong process can crash your machine, and editing the registry can make it unbootable, so make sure you have a recent backup before making changes.

[edited 01-24-2008]

Ask the Performance Team has published a new post on svchost.exe with some really detailed information. I think the methods of creating isolated processes and isolated service groups would be most helpful in troubleshooting performance and bottleneck issues.